What is clickjacking? Clickjacking is when someone maliciously manipulates a website user's activity by hiding hyperlinks beneath legitimate buttons or other content. This can cause the user to take an unintended action, putting their information at risk. For example, if you display your donation form on a Facebook page hosted in an iframe, a malicious person could mimic your form in their own iframe and hijack the constituent's information when it is entered into their form.
Why is it a concern? If your organization displays Luminate Online pages within a frame or iframe, a hacker could abuse those framed pages.
What do I need to do? Any site that uses a Luminate Online-hosted page in a frame needs to be whitelisted in the SEC_CSP_FRAME_ANCESTORS_DOMAINS SDP. If you use frames to pull content from Luminate Online into LCMS, you will also need to whitelist your CMS domain.
How do I whitelist my site domains that use Luminate Online-hosted pages in an iframe? Note: When this site setting is blank and has not been used before, the initial character limitation is 255 characters. If you need to whitelist domains in excess of 255 characters, please enter at least 30 characters in the text field and Save. This will raise the limit to 1000 characters.
- Select Setup > Site Options
- Click Go
- Search for the SEC_CSP_FRAME_ANCESTOR_DOMAINS option
- Enter a space-separated list of any site domain that uses Luminate Online-hosted pages in a frame. These domains will be able to embed content from this site. We have already whitelisted the following domains:
- convio.net Luminate site
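The site option above ends up as a Content-Security-Policy frame-ancestors directive that the browser evaluates against the origin of every page trying to frame yours. The following is an added example (not Luminate Online or Blackbaud code) that builds such a directive from a space-separated domain list and checks which embedding origins it would allow, following the CSP host-source matching rules (exact host, `*.` wildcard, optional scheme and port). The page origin `https://pages.example.org` and the domains other than `convio.net` are constructed placeholders, not values from the article.

```python
"""Build a CSP frame-ancestors directive from a space-separated allowlist and
evaluate whether a given ancestor origin may frame the page.

Added example, not Luminate Online code. Only convio.net comes from the
article; the other hosts below are constructed placeholders.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_frame_ancestors(allowlist: str) -> str:
    """Turn the space-separated domain list into a frame-ancestors directive.

    'self' is included so the site can still frame its own pages.
    """
    return "frame-ancestors " + " ".join(["'self'"] + allowlist.split())


def frame_ancestors_sources(policy: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _effective_port(scheme: str, port):
    return port if port is not None else DEFAULT_PORTS.get(scheme)


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or '*.example.org' matching any subdomain (not the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _scheme_matches(pattern_scheme: str, page_scheme: str, anc_scheme: str) -> bool:
    """A source without a scheme inherits the page's scheme; http may be upgraded to https."""
    expected = pattern_scheme or page_scheme
    return anc_scheme == expected or (expected == "http" and anc_scheme == "https")


def ancestor_allowed(policy: str, ancestor_origin: str, page_origin: str) -> bool:
    """Decide whether page_origin may be framed by ancestor_origin under policy.

    Without a frame-ancestors directive the browser imposes no framing
    restriction, so the function returns True in that case.
    """
    sources = frame_ancestors_sources(policy)
    if sources is None:
        return True
    anc, page = urlsplit(ancestor_origin), urlsplit(page_origin)
    anc_port = _effective_port(anc.scheme, anc.port)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            continue  # matches nothing
        if s == "'self'":
            if (anc.scheme, anc.hostname, anc_port) == (
                page.scheme, page.hostname, _effective_port(page.scheme, page.port)):
                return True
            continue
        if s.endswith(":") and "//" not in s:  # scheme-source such as "https:"
            if anc.scheme == s[:-1]:
                return True
            continue
        pat = urlsplit(s if "://" in s else "//" + s)  # host-source
        if not _scheme_matches(pat.scheme, page.scheme, anc.scheme):
            continue
        if not _host_matches(pat.hostname or "", anc.hostname or ""):
            continue
        if pat.port is None:
            if anc_port != DEFAULT_PORTS.get(anc.scheme):
                continue  # no port in the source: ancestor must use the default port
        elif pat.port != anc_port:
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_frame_ancestors("convio.net *.example-charity.org https://cms.example-charity.org")
    page = "https://pages.example.org"  # constructed page origin
    print(policy)
    for origin in ("https://donate.example-charity.org", "https://evil.example"):
        print(origin, "->", "allowed" if ancestor_allowed(policy, origin, page) else "blocked")
```

Run it to see the generated directive and which constructed origins would be permitted to frame the page; an origin outside the allowlist (including the bare apex of a wildcard entry, or an allowed host on a non-default port) is blocked.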